Steve Devine <[EMAIL PROTECTED]> writes:

> Does the order of the enctypes listed in the kdc affect this?

In my experience, the enctype list should match exactly. It doesn't matter what order you list the enctypes in; if you have enctypes on the krbtgt key that aren't present in Windows, you may lose. So, in this case:

> This is my current kdc.conf entry:
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> des-cbc-crc:v4 des-cbc-crc:afs3

you need to explicitly specify -e des-cbc-crc:normal when creating the krbtgt cross-realm keys. Otherwise you'll get a des3 key in your KDC and since Windows doesn't support des3, you'll lose.

Also, if you're entering a password to create this key, be very careful of the salting algorithm. I think that you'll need to fix that on the Windows side, since IIRC MIT Kerberos can't do the Windows salt but Windows can do the MIT salt (if configured correctly), but it's been a long time and I'm forgetting the details.

> I'm not sure how to manipulate the kvno on the AD

It depends on the version of Windows. Sometimes you can't at all. And regardless, since on the MIT side you can just use modprinc -kvno, it's way easier to make the MIT side match Windows than vice versa.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
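An added example, not part of the original message or of MIT Kerberos: a small checker that reads `supported_enctypes` from kdc.conf text, reports which enctypes a default key creation would add that the peer realm cannot use, and builds the explicit `-e` list. The realm name, the peer's enctype set, the kvno values and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the kdc.conf entry quoted in the message, on one line.
KDC_CONF = """\
[realms]
    EXAMPLE.COM = {
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
    }
"""

def parse_supported_enctypes(conf_text):
    """Return (enctype, salt) pairs from every supported_enctypes line."""
    pairs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "supported_enctypes":
            continue
        for item in re.split(r"[,\s]+", value):
            if item:
                enctype, _, salt = item.partition(":")
                # A bare enctype with no salt is treated as the normal salt.
                pairs.append((enctype.lower(), (salt or "normal").lower()))
    return pairs

def plan_cross_realm_key(conf_text, peer_enctypes, mit_kvno, peer_kvno, salt="normal"):
    """Compare the KDC's default key list with what the peer realm accepts."""
    peer = {e.lower() for e in peer_enctypes}
    pairs = parse_supported_enctypes(conf_text)
    # Enctypes a default key creation would add that the peer cannot use.
    unsupported = sorted({e for e, _ in pairs if e not in peer})
    # Key:salt pairs to pass explicitly with -e, in kdc.conf order.
    keep = [f"{e}:{s}" for e, s in pairs if e in peer and s == salt]
    return {
        "unsupported": unsupported,
        "e_arg": ",".join(keep),
        "kvno_matches": mit_kvno == peer_kvno,
        "target_kvno": peer_kvno,  # make the MIT side match the peer
    }

if __name__ == "__main__":
    # Assumption: the peer accepts only des-cbc-crc; kvno values are made up.
    print(plan_cross_realm_key(KDC_CONF, ["des-cbc-crc"], mit_kvno=1, peer_kvno=3))
```
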
